Azure Active Directory configuration

This how-to guide describes how to configure Unit4 Identity Services with Azure Active Directory (AAD).

Prerequisites

• Administrative access to Azure Active Directory (AAD)
• Knowledge of AAD and how to create an AAD application
• U4IDS authority address (in the rest of this topic we use the value of https://<u4ids basepath>/identity as the address of the U4IDS installation's identity endpoint)
• Access to U4IDS in order to create tenant

The list of official IDS environments can be found here

Steps

Setup trust between U4IDS and your AAD as follows:

1. Register U4IDS as an application in AAD
   1. Create a new AAD application
   2. Generate a secret
   3. Register U4IDS reply urls
2. Register the AAD application as a tenant in U4IDS
   1. Select a unit4IdClaimType
   2. Get the authority
   3. Get the idpRegId

Register U4IDS as an application in AAD

Follow these steps:

Create a new AAD Application

Choose the correct AAD if you have access to multiple AADs

Log in to Azure portal: https://portal.azure.com/ and go to Azure Active Directory:

and go to App registration menu:

click New registration:

Enter your application name, select account type and provide 1 of required Redirect Uris properly as below and register your application:

Generate a secret

Create a secret:

Set expire time:

Register U4IDS reply urls

Navigate to Authentication menu and make sure the Reply URL contains two U4IDS installation addresses:

• one for redirect to ids: https://<address of U4IDS installation>/identity/callback
• one for post logout : https://<address of U4IDS installation>/identity/postlogoutcallback)

Also make sure that the ID tokens checkbox is ticked.

In the Token configuration menu you can configure your claims:

Register the AAD application as a tenant in U4IDS

After the above steps are done, the collected information may be inserted into the Tenant resource in U4IDS.

See Identity providers in tenants for more information.

Select a unit4IdClaimType

For the unit4IdClaimType claim type upn is used in this example. Claim upn (User Principal Name) is a good choice for identifier from AAD because it is also human readable (on the form user@domain.com). To support externally invited users, email is added as a secondary mapping option. sub or oid are other alternatives, unique but not human readable, and best suited for integration scenarios. In this example we use sub as a third fallback option.

Get the authority

Authority is https://login.microsoftonline.com/<your AAD directory ID>. To locate the AAD directory ID go to AAD. In the properties of the Manage section you will see the directory ID:

Get the idpRegId

The idpRegId in AAD is the Application ID.